Today, we’re joined by Rupert Marais, our in-house Security Specialist, to dissect a concerning trend of automated attacks targeting Fortinet FortiGate devices. With his deep expertise in endpoint security and network management, Rupert will shed light on a new cluster of malicious activity that leverages Single Sign-On (SSO) vulnerabilities to compromise firewalls. We’ll explore the anatomy of these attacks, the strategic choices made by the threat actors, and the critical steps organizations must take to defend their networks, especially when even patched systems appear to be at risk.
Recent attacks on FortiGate devices involve malicious SSO logins and firewall configuration exfiltration. Can you walk me through the typical stages of this automated attack, from the initial breach using a crafted SAML message to achieving persistence on the device?
Absolutely. The attack chain is ruthlessly efficient. It begins with the adversary exploiting a known vulnerability, like CVE-2025-59718 or CVE-2025-59719, which allows them to bypass authentication. They send a specially crafted SAML message to the FortiGate device’s SSO login portal. Once the system is tricked into granting access, the first automated action is often a malicious login using an account like “cloud-init@mail.io” from one of several known hostile IP addresses. Immediately following this, the automation script exfiltrates the entire firewall configuration file back to those same IP addresses. This gives them the blueprint of the network’s defenses.
Attackers have been observed creating generic accounts like “secadmin” or “itadmin” for persistence. What is the strategic value of using these specific account names, and how does granting them VPN access escalate the threat for an organization?
The use of generic names like “secadmin,” “itadmin,” or “support” is a deliberate act of camouflage. These account names are designed to blend in with legitimate administrative accounts, making them less likely to be flagged during a routine audit. An administrator might see an account named “remoteadmin” and assume it’s an old, forgotten service account rather than an active threat. Granting these accounts VPN access is the critical next step that elevates the breach. It transforms a localized device compromise into a persistent, remote foothold deep inside the network, allowing the attacker to bypass the firewall’s perimeter defenses at will.
The speed of these attacks, with multiple events occurring within seconds, suggests automation. For a security team monitoring their network, what are the key forensic indicators of this type of automated activity, and how can they differentiate it from a manual intrusion?
The primary indicator is the sheer velocity of the events. When you see a malicious SSO login, a full configuration file exfiltration, and the creation of a new administrative account all occur within seconds of each other, it’s a near-certain sign of an automated script. A human attacker simply cannot operate that quickly. Another key forensic clue is the source IP address. These automated campaigns often originate from a small, specific list of IPs, such as 104.28.244[.]115 or 37.1.209[.]19, which can be correlated across incidents. This combination of speed and repetitive patterns is the classic signature of machine-driven activity, contrasting sharply with the slower, more exploratory, and often error-prone trail left by a manual intrusion.
Given that the FortiCloud SSO feature is a primary vector, what are the operational trade-offs for an organization that disables the “admin-forticloud-sso-login” setting? Could you detail the immediate security benefits versus any potential administrative drawbacks they might face?
Disabling the “admin-forticloud-sso-login” setting is a decisive defensive move. The immediate security benefit is that you shut the door on this entire attack vector. You effectively remove the vulnerable service, making it impossible for attackers to exploit these specific SSO vulnerabilities. The trade-off, however, is purely operational. Your administrative team loses the convenience of a centralized, single sign-on experience for managing the FortiGate devices. They’ll have to revert to managing local device credentials, which can be more cumbersome and slightly increase the administrative overhead, especially in larger environments with multiple appliances.
There are reports of fully-patched FortiOS devices still experiencing these malicious SSO logins. What could explain this persistence on patched systems, and what steps should an administrator take if they suspect a patch has not fully remediated the vulnerability?
This is an incredibly alarming development. If a fully-patched device, such as one running version 7.4.10, is still being compromised, it points to a few possibilities. The patch itself might be incomplete, failing to address the root cause of the vulnerability, or a new, undisclosed zero-day vulnerability is being exploited alongside the old one. If an administrator sees these signs, they cannot rely on the patch. The first and most critical step is to immediately disable the “admin-forticloud-sso-login” setting to block the attack vector. Afterward, they must preserve logs, isolate the affected device if possible to prevent lateral movement, and immediately contact Fortinet support to report the breach on a patched system.
What is your forecast for the evolution of attacks targeting SSO and identity management features in network security appliances?
I believe we are at the beginning of a major trend. As organizations continue to embrace centralized identity and SSO for ease of use, these systems will become increasingly high-value targets for attackers. Threat actors are shifting their focus from just hunting for software bugs to exploiting the logic of identity and access management systems. I forecast that we’ll see more sophisticated attacks that don’t just target a single vendor’s SSO implementation but are designed to pivot between cloud identity providers and on-premise network appliances. Securing the identity layer of our infrastructure will become just as critical as patching the software that runs on it.
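The sequence Rupert describes earlier in the interview (a malicious SSO login, a configuration export and a new admin account, all within seconds and from one of a short list of source addresses) is exactly what a detection rule should key on. The script below is an added example written for this page; it is not part of the interview and not Fortinet tooling. It parses constructed, simplified key=value log lines in the style of FortiOS event logs (the field names, messages, timestamps and the 60-second window are my assumptions and are illustrative only; check them against your own device's log reference), flags any successful SSO login that is followed within the window by a configuration export and an admin creation from the same source IP, and enriches each hit with whether the source is one of the two IPs quoted above and whether the new account carries one of the generic names mentioned for persistence.

```python
"""Added example (not from the interview): flag scripted SSO-login -> config-export
-> admin-create sequences in constructed, FortiOS-style key=value event logs."""
import re
from datetime import datetime, timedelta

# Source addresses quoted in the interview, with the de-fanging brackets removed.
HOSTILE_IPS = {"104.28.244.115", "37.1.209.19"}
# Generic account names the interview says attackers create for persistence.
GENERIC_ADMIN_NAMES = {"secadmin", "itadmin", "support", "remoteadmin"}
# Assumed threshold: a human operator rarely completes all three steps this fast.
WINDOW = timedelta(seconds=60)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log. Field names imitate FortiOS event logs but are
# illustrative only; verify against your device's log reference.
SAMPLE_LOG = """\
date=2025-12-05 time=03:14:07 type="event" subtype="system" action="login" method="sso" status="success" user="cloud-init@mail.io" srcip=104.28.244.115 msg="Administrator logged in successfully from sso"
date=2025-12-05 time=03:14:09 type="event" subtype="system" action="download" user="cloud-init@mail.io" srcip=104.28.244.115 msg="Configuration file backup downloaded"
date=2025-12-05 time=03:14:11 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="secadmin" user="cloud-init@mail.io" srcip=104.28.244.115 msg="Add system.admin secadmin"
date=2025-12-05 time=09:02:13 type="event" subtype="system" action="login" method="https" status="success" user="admin" srcip=10.0.0.5 msg="Administrator logged in successfully from https"
date=2025-12-05 time=09:41:50 type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="alice" user="admin" srcip=10.0.0.5 msg="Add system.admin alice"
date=2025-12-05 time=10:00:00 type="event" subtype="system" action="login" method="sso" status="success" user="jsmith" srcip=10.0.0.7 msg="Administrator logged in successfully from sso"
"""


def parse_line(line):
    """Split one key=value line into a dict and add a parsed 'ts' datetime."""
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def stage(ev):
    """Map an event to a stage of the scripted sequence, or None if unrelated."""
    if ev.get("action") == "login" and ev.get("method") == "sso" and ev.get("status") == "success":
        return "sso_login"
    if "Configuration file" in ev.get("msg", ""):
        return "config_export"
    if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        return "admin_create"
    return None


def find_scripted_sequences(log_text, window=WINDOW):
    """Return one finding per SSO login that is followed, within `window` and from
    the same source IP, by both a configuration export and an admin creation."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    for i, start in enumerate(events):
        if stage(start) != "sso_login":
            continue
        src = start.get("srcip")
        seen = {"sso_login": start["ts"]}   # stage -> first time it was observed
        new_admins = []
        for later in events[i + 1:]:
            if later["ts"] - start["ts"] > window:
                break                       # events are sorted, so stop early
            if later.get("srcip") != src:
                continue                    # velocity only counts per source IP
            s = stage(later)
            if s is None:
                continue
            seen.setdefault(s, later["ts"])
            if s == "admin_create":
                new_admins.append(later.get("cfgobj", ""))
        if not {"config_export", "admin_create"}.issubset(seen):
            continue
        findings.append({
            "srcip": src,
            "user": start.get("user"),
            "start": start["ts"].isoformat(),
            "span_seconds": (max(seen.values()) - start["ts"]).total_seconds(),
            "hostile_ip": src in HOSTILE_IPS,
            "new_admins": new_admins,
            "generic_names": [n for n in new_admins if n.lower() in GENERIC_ADMIN_NAMES],
        })
    return findings


if __name__ == "__main__":
    for finding in find_scripted_sequences(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script reports a single finding: the 03:14 cluster from 104.28.244.115, spanning four seconds, from a listed hostile IP, creating the generic account "secadmin". The legitimate HTTPS login and later account creation by "admin", and the lone SSO login by "jsmith", produce nothing, which is the point: the rule fires on the combination and the velocity, not on any one event. The two knobs worth tuning are the window and the generic-name list; the hostile-IP set is deliberately limited to the two addresses quoted in the interview and should be fed from current threat intelligence in practice. As for the mitigation discussed above, on FortiOS the admin-forticloud-sso-login option is, to my knowledge, a system global setting; confirm the exact CLI path against your release's documentation rather than taking this note as authoritative.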
